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We investigate how contracts can be used to regulate the interaction between processes. To do that, we 
study a variant of the concurrent constraints calculus presented in 12] , featuring primitives for multi- 
party synchronization via contracts. We proceed in two directions. First, we exploit our primitives to 
model some contract-based interactions. Then, we discuss how several models for concurrency can 
be expressed through our primitives. In particular, we encode the 7r-calculus and graph rewriting. 

1 Introduction 

A contract is a binding agreement stipulated between two or more parties, which dictates their rights and 
their duties, and the penalties each party has to pay in case the contract is not honoured. 

In the current practice of information technology, contracts are not that different from those legal 
agreements traditionally enforced in courts of law. Both softwaie and services commit themselves to re- 
spect some (typically weak, if not "without any expressed or implied warranty") service level agreement. 
In the case this is not honoured, the only thing the user can do is to take legal steps against the software 
vendor or service provider. Since legal disputes may require a lot of time, as well as relevant expenses, 
such kinds of contracts serve more as an instrument to discourage users, rather than making easier for 
users to demand their rights. 

Recent research has then addressed the problem of devising new kinds of contracts, to be exploited 
for specifying and automatically regulating the interaction among users and service providers. See e.g. lH 
|8l[TT][T3l|20l, to cite a few. A contract subordinates the behaviour promised by a client (e.g. "I will pay 
for a service X") to the behaviour promised by a service (e.g. "I will provide you with a service Y"), and 
vice versa. The crucial problems are then how to formaUse the concept of contract, how to understand 
when a set of contracts gives rise to an agreement among the stipulating parties, and how to actually 
enforce this agreement in an open, and possibly unreliable, environment. 

In the Concurrent Constraint Programming (CCP) paradigm |[23ll24l . concurrent processes commu- 
nicate through a global constraint store. A process can add a constraint c to the store through the telle 
primitive. Dually, the primitive askc makes a process block until the constraint c is entailed by the store. 
Very roughly, such primitives may be used to model two basic operations on contracts: a telle is for 
pubhshing the contract c, and an askc' is for waiting until one has to fulfill some duty c'. 

While this may suggest CCP as a good candidate for modelling contract-based interactions, some 
important features seem to be missing. Consider e.g. a set of parties, each offering her own contract. 
When some of the contracts at hand give rise to an agreement, all the involved parties accept the contract, 
and start interacting to accomplish it. A third party (possibly, an "electronic" court of law) may later on 
join these parties, so to provide the stipulated remedies in the case an infringement to the contract is 
found. To model this typical contract-based dynamics, we need the ability of making all the parties 
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involved in a contract synchronise when an agreement is found, establishing a session. Also, we need to 
allow an external party to join a running session, according to some condition on the status of the contract. 

In this paper we study a variant of [2], an extension of CCP which allows for modelling such kinds 
of scenarios. Our calculus features two primitives, called fuse and join: the first fuses all the processes 
agreeing on a given contract, while the second joins a process with those akeady participating to a 
contract. Technically, the prefix fuse^c probes the constraint store to find whether it entails c; when this 
happens, the variable x is bound to a fresh session identifier, shared among the parties involved in the 
contract. Such parties are chosen according to a local minimal fusion policy. The prefix join is similar, 
yet it looks for an already existing session identifier, rather than creating a fresh one. While our calculus 
is undogmatic about the underlying constraint system, in the contract-based scenarios presented here we 
commit ourselves to using PCL formulae ||2l as constraints. 

Contributions. Our contribution consists of the following points. In Sect. |2] we study a calculus for 
contracting processes. Compai^ed to the calculus in Jll, the one in this paper differs in the treatment of 
the main primitives fuse and join, which have a simplified semantics. Moreover, we also provide here 
a reduction semantics, and compare it to the labelled one. In Sect. [3] we show our calculus suitable for 
modelling complex interactions of contracting parties. In Sect.|4]we substantiate a statement made in 111, 
by showing how to actually encode into our calculus some common concuiTcncy idioms, among which 
the TT-calculus |[T9l and graph rewriting |f2TI|. In Sect. [5] we discuss further differences between the two 
calcuh, and compare them with other frameworks. 

2 A contract calculus 

We now define our calculus of contracting processes. The calculus is similar to that in [21, yet it diverges 
in the treatment of the crucial primitives fuse and join . We will detail the differences between the two 
versions in Sect. [5] Our calculus features both names, ranged over by n,m, and variables, ranged 

over by x,y, Constraints are terms over variables and names, and include a special element ±; the set 

of constraints D is ranged over by c,d. Our calculus is parametric with respect to an arbitrary constraint 
system (D,h) (Def.lB. 

Definition 1 (Constraint system II24I ) A constraint system is a pair (D, h), where D is a countable set, 
and h C ^(D) x D is a relation satisfying: (i) C\- c whenever c GC; ( ii) Che whenever for all d G C 
we have C h c', and C' h c; ( Hi) for any c, C \- c whenever Ch ±. 

Syntax. Names in our calculus behave similai^ly to the names in the TT-calculus: that is, distinct names 
represent distinct concrete objects. Instead, variables behave as the names in the fusion calculus: that 
is, distinct variables can be bound to the same concrete object, so they can be fused. K fusion a is a 
substitution that maps a set of variables to a single name. We write a = {"/x] for the fusion that replaces 
each variable in x with the name n. We use metavariables a, ft, ... to range over both names and variables. 

Definition 2 (Processes) The set of prefixes and processes are defined as follows: 

n ::= T | telle | checkc | askc | join-(.c | fusevC (prefixes) 
P ■■=c\ Liei^i-Pi I P\P I (^)-f I ^(^) (processes) 

Prefixes 7i include T (the silent operation as in CCS), as well as tell , check and ask as in Concurrent 
Constraints |[24ll . The prefix telle augments the context with the constraint c. The prefix checkc checks 
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if c is consistent with the context. The prefix askc causes a process to stop until the constraint c is 
entailed by the context. The prefixes fuse^c and join^ c drive the fusion of the variable x, in two different 
flavours. The prefix join^c instantiates x to any known name, provided that after the instantiation the 
constraint c is entailed. The prefix fusevC fuses x with any set of known variables, provided that, when 
all the fused variables are instantiated to a fresh name, the constraint c is entailed. To avoid unnecessary 
fusion, the set of variables is required to be minimal (see Def. |7]). To grasp the intuition behind the two 
kinds of fusions, think of names as session identifiers. Then, a fusevC initiates a new session, while a 
joiri-^c joins an already initiated session. 

Processes P include the constraint c, the summation Y^iei ^i-^i of guarded processes over indexing set 
/, the parallel composition P\Q, the scope delimitation {a)P, and the instantiated constant X (a), where a 
is a tuple of names/variables. When a constraint c is at the top-level of a process, we say it is active. We 
use a set of defining equations {X, (x) = P, }; with the provision that each occurrence of Xj in Pk is guarded, 
i.e. it is behind some prefix. We shall often use C = {ci ,C2, . . .} as a process, standing for ci |c2| • • • . We 
write for the empty sum. Singleton sums are simply written Ti.P. We use + to merge sums as follows: 
Y^iei ^i-Pi + T^ieJ ^i-Pi = Lie/u/ ^i-Pi if / n 7 = 0. We stipulate that + binds more tightly than | . 

Free variables and names of processes are defined as usual: they are free whenever they occur in 
a process not under a delimitation. Alpha conversion and substitutions ai^e defined accordingly. As a 
special case, we let (fusevc){"/jr} = (join^.c){"/x} = askc{"/v}. That is, when a variable x is instantiated 
to a name, the prefixes fusCvC and join^ c can no longer require the fusion of x, so they behave as a plain 
askc. Henceforth, we will consider processes up-to alpha-conversion. 

We provide our calculus with both a reduction semantics and a labelled transition semantics. As usual 
for CCP, the former explains how a process evolves within the whole context (so, it is not compositional), 
while the latter also explains how a process interacts with the environment. 

Reduction semantics. The structural equivalence relation = is the smallest equivalence between pro- 
cesses satisfying the following axioms: 

P\0 = P P\Q = Q\P P\{Q\R) = {P\Q)\R P + = P P + Q = Q + P P+ (Q + R) = (P + Q) +R 

ia){P\Q)=P\{a)Q {ia(^free{P) {a){b)P = {b){a)Q X(a)=P{"/?} ifX{x)=P 
Definition 3 (Reduction) Reduction — t- is the smallest relation satisfying the rules in Fig. [7] 

We now comment the rules for reduction. Rule Tau simply fires the T prefix. Rule Tell augments the 
context (R) with a constraint c. Similarly to ['24], we do not check for the consistency of c with the other 
constraints in R. If desired, a side condition similar to that of rule Check (discussed below) can be added, 
at the cost reduced compositionality. As another option, one might restrict the constraint c in tell c.P to a 
class of coherent constraints, as done e.g. in 12]. Rule Ask checks whether the context has enough active 
constraints C so to entail c. Rule Check checks the context for consistency with c. Since this requires 
inspecting every active constraint in the context, a side condition precisely separates the context between 
C and R, so that all the active constraints are in C, which in this case acts as a global constraint store. 

Rule Fuse replaces a set of variables xy with a bound name n, hence fusing all the variables together. 
One variable in the set, x, is the one mentioned in the fuse^c prefix, while the others, y, are taken from 
the context. The replacement of variables is done by the substitution a in the rule premises. The actual 
set of variables y to fuse is chosen according to the minimal fusion policy, formally defined below. 

Definition 4 (Minimal Fusion) A fusion o = {«/?} is minimal /or C,c, written C h™'" c, iff: 

Co^co A $wCz : C{Vvtl h c{"/v5'} 
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[Tau] [Tell] 

(fl) {t.P + Q I R) (a) (P I R) (a) (tellcP + g | R) -^{a){c\P\ R) 

c C,c\/ J- R free from active constraints 

[Ask] [Check] 



{a){C\askc.P + Q\R)^{a){C\P\R) (a) {C \ checkc.P + Q \ R) ^ (a) {P \ R) 

a = {"/^-} n fresh in P, Q,R, C,c,a C h"^'" c 



(xya) (C I fuse.vC.P + Q\R)^ {no) {{C\P\ R) a) 



[Fuse] 



C{«/a} h c{n/x} P = P' ~^Q' = Q 

[Join] [Struct] 



{xna) (C I join^c.P + e I R) {no) {{C\P\ R){"/x}) P Q 

Figure 1 : The reduction relation 



A minimal fusion a must cause the entailment of c by the context C. Furthermore, fusing a proper 
subset of variables must not cause the entailment. The rationale for minimality is that we want to fuse 
those variables only, which are actually involved in the entailment of c - not any arbitrary superset. Prag- 
matically, we will often use fusejC as a construct to establish sessions: the participants are then chosen 
among those actually involved in the satisfaction of the constraint c, and each participant "receives" the 
fresh name n through the application of a. In this case, n would act as a sort of session identifier. 

Note that the context R in rule Fuse may contain active constraints. So, the fusion a is actually 
required to be minimal with respect to a subset C of the active constraints of the whole system. Techni- 
cally, this will allow us to provide a compositional semantics for fuse^c. Also, this models the fact that 
processes have a "local" view of the context, as we will discuss later in this section. 

Rule Join replaces a variable x with a name n taken from the context. Note that, unlike Fuse, n is 
not fresh here. To enable a join^c prefix, the substitution must cause c to be entailed by the context C. 
Intuitively, this prefix allows to "seaixh" in the context for some x satisfying a constraint c. This can also 
be used to join a session which was previously established by a Fuse. 

Note that rules Fuse and Join provide a non-deterministic semantics for prefixes fuse and join since 
several distinct fusions a could be used to derive a transition. Each a involves only names and variables 
occurring in the process at hand, plus a fresh name n in the case of fuse . If we consider n up-to renaming, 
we have a finite number of choices for o. Together with guarded recursion, this makes the transition 
system to be finitely-branching. 

Rule Struct simply allows us to consider processes up-to structural equivalence. 



Transition semantics. We now present an alternative semantics, specified through a labelled transition 
relation. Unlike the reduction semantics, the labelled relation — > is compositional: all the prefixes can 
be fired by considering the relevant portion of the system at hand. The only exception is the checkc 
prefix, which is inherently non-compositional. We deal with checkc by layering the reduction relation 
^ over the relation — >. While defining the transition semantics, we boiTow most of the intuitions from 
the semantics in 111. The crucial difference between the two is how they finalize the actions generated 
by a fuse (rule CloseFuse). Roughly, in |l2j| we need a quite complex treatment, since there we have to 
accommodate with "principals" mentioned in the constraints. Since here we do not consider principals, 
we can give a smoother treatment. We discuss in detail such issues in Sect. |5] 
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We start by introducing in Def.[5]the actions of our semantics, that is the set of admissible labels of 
the LTS. The transition relation is then presented in Def.[6l 

Definition 5 (Actions) Actions a are as follows, where C denotes a set of constraints. 

a ::= T I C I Che I Chf c I Ch-Jc I C^_L I (a)a 

The action T represents an internal move. The action C advertises a set of active constraints. The 
action Ch c is a tentative action, generated by a process attempting to fire an askc prefix. This action 
canies the collection C of the active constraints discovered so far. Similarly for Ch^ c and fuse^c, for 
C\-{c and join^c, as well as for CI/ _L and check c. In the last case, C includes c. The delimitation in 
{a)a is for scope extrusion, as in the labelled semantics of the Ti-calculus |[22l. We write {a)a to denote 
a set of distinct delimitations, neglecting their order, e.g. {ab) = (ba). We simply write {ab) for (aUb). 

Definition 6 (Transition relation) The transition relations — > are the smallest relations between pro- 
cesses satisfying the rules in Fig. \2\ The last two rules in Fig. \2\define the reduction relation 

Many rules in Fig. [2] are rather standard, so we comment on the most peculiar ones, only. Note in 
passing that = is not used in this semantics. The rules for prefixes simply generate the corresponding 
tentative actions. Rule Constr advertises an active constraint, which is then used to augment the tentative 
actions through the Par* rules. Rule Open lifts a restriction to the label, allowing for scope extrusion. 
The Close* rules put the restriction back at the process level, and also convert tentative actions into T. 

The overall idea is the following: a tentative action label carries all the proof obligations needed to 
fire the con^esponding prefix. The Par* rules allow for exploring the context, and augment the label with 
the observed constraints. The Close* rules check that enough constraints have been collected so that the 
proof obligations can be discharged, and transform the label into a T. 

The Top* rules act on the top-level, only, and define the semantics of check c. 

The side condition of rule CloseFuse involves a variant of the minimal fusion relation we used 
previously. As for the reduction semantics, we require a to be minimal, so not to fuse more variables 
than necessary. Recall however that in the reduction semantics minimality was required with respect to a 
part of the active constraints at hand. In our labelled semantics, rules Par* collect each active constraint 
found in the syntax tree of the process. If we simply used C h™'" c in CloseFuse, we would handle the 
following example differently. Let C = q(3') | q(z) Vs — > p(3'), let P = (x)(3;)(z)(fuse;rP(-^)-P I C | s), and 
let Q = (x)(3;)(z)(fuse,v p(x)./' | C) | s. In P we must collect s before applying CloseFuse, and so 0\ = 
{"/a>} would be the only minimal fusion. Instead in Q we can also apply CloseFuse before discovering s, 
yielding the minimal fusion 02 = {"/xyz). This would be inconsistent with = (and our reduction semantics 
as well). To recover this, we instead require in CloseFuse the following relation, stating that a must be 
minimal with respect to a part of the observed constraints, only. 

Definition 7 (Local Minimal Fusion) A fusion o = {"/?} is local minimal /or C,c, written C \-'^'^ c, iff: 

3C'QC : C' h™" c 

While we did not use structural equivalence in the definition of the labelled transition semantics, it 
turns out to be a bisimulation. 

Theorem 1 The relation = is a bisimulation, i.e.: P = Q ^ Q' =^ 3P'. P ^ P' = Q'. 

We also have the expected correspondence between the reduction and labelled semantics. 
Theorem 2 P P' 3Q, Q'.P = Q^Q' = P' 

The right impUcation is by rule induction. To prove the left implication, an induction argument on 
Q Q' suffices, exploiting the fact that all the constraints of Q are accumulated in the label. 
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T.P^P [Tau] askc.P-^P [Ask] te\\c.P^c\P [Tell] 

{cW± , 0hfc 0Kc 

checkc.P > P [Check] fuse.vC.P— [Fuse] join.c.P— [Join] 

M M [CONSTR] Y.i^i-Pi -^Hi^i-Pi [IDLESUM] 

p^p'q'^q' P^P'Q^^Q' 

[ParConstr] — ; [ParAsk] 



p\Q ^^^^ p'\a p\Q p'\a 

pl^p, QC^)iC'^^ Q, P^P'Q^h^Q' 

[ParFuse] — — [ParJoin] 



p1^P^q1^}^q' pl,p' 

[ParCheck] [ParTau] 

P\Q ("^)(cucV±)^ P\Q'^P'\Q' 

nj.Pj A P' P{«/.v} ^P' P^P' 

[Sum] ^-^ ifX(x) =P[Def] ifa^a[DEL] 



I, K,.Pi ^ P' X{a) ^ P' {a)P ^ {a)P' 

P^P' p^^)^p, 

[Open] if Ch c [CloseAsk] 



[CloseFuse] 



P A («fl)(P'c7) 

if , I \ [CloseJoin] [TopTau] 

P A {na)P'a ^ = i"A) P ^ P' 

if CI/± [TopCheck] 



p ^ (fl)p' 

Figure 2: The labelled transition relation. Symmetric rules for +, | are omitted. The rules Par* have the 
following no-capture side condition: a is fresh in b,C' ,c,x, Q' , while b is fresh in C,P' . 

3 Examples 

We illustrate our calculus by modelling scenarios where the interaction among parties is driven by con- 
tracts. In all the examples below, we use as constraints a smooth extension of the propositional contract 
logic PCL m. A comprehensive presentation of PCL is beyond the scope of this paper, so we give here 
just a broad overview, and we refer the reader to lEHH for all the technical details and further examples. 

PCL is an extension of intuitionistic propositional logic IPC |[25l . featuring a contractual implication 
connective Differently from IPC, a "contract" b -» a implies a not only when b is true, like IPC 
implication, but also in the case that a "compatible" contract, e.g. a -» b, holds. So, PCL allows for sort 
of "circular" assume-guarantee reasoning, summarized by the theorem h (b ^ a) A (a -» b) — > a A b. 
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The proof system of PCL extends that of IPC with the following axioms: 

T ^ T {p^ p)^p {p ^ p) ^ {p ^ q) ^ {q ^ q) ^ {p q) 

A main result about PCL is its decidability, proved via cut elimination. Therefore, we can use the 
(decidable) provability relation of PCL as the entailment relation H of the constraint structure. 

Example 1 (Greedy handshaking) Suppose there are three kids who want to play together. Alice has 
a toy airplane, Bob has a bike, while Carl has a toy car. Each of the kids is willing to share his toy, but 
only provided that the other two kids promise they will lend their toys to him. So, before sharing their 
toys, the three kids stipulate a "gentlemen's agreement" , modelled by the following PCL contracts: 

CAiice{x) = (b(x) Ac(x)) ^ z{x) CBob{y) = (a(y) Ac(3;)) ^ b(>') ca„./(z) (a(z) A b(z)) ^ c(z) 

Alice's contract CAikeix) says that Alice promises to share her airplane in a session x, written a{x), 
provided that both Bob and Carl will share their toys in the same session. Bob 's and Carl 's contracts 
are dual. The proof system of PCL allows to deduce that the three kids will indeed share their toys in 
any session n, i.e. CAUcein) A CBobip) A Ccm-lin) — > a(«) A h{n) A c{n) is a theorem of PCL. We model 
the actual behaviour of the three kids through the following processes: 

Alice = (x) (tell 

Carl — (z) (tellcQ„./(z). f use^ c (z). /e«c^C) 
A possible trace of the LTS semantics is the following: 

Alice I Bob \ Carl (x) (cAUceix) \ fuseva(x). Ze«(i4) | Bob \ Carl 
A (x) (cAiiceix) I fusexa(x)./e«cM) | (y) {csobiy) I fuseyb()')./eniiB) | Carl 

^ {x) {cAiice{x) I fusexa(x)./e«cM) | {y) {cBob{y) \ fuseyh{y).lendB) \ (z) (ca,w(z) | fuse^ c{z).lendC) 
(«) [cAiice{n) I lendA{"/x} \ CBoh{n) \ ask b(n).Ze«c/B{«/.v} | ccad{n) \ askc(n)./e«c/C{"/v}) 

^ in) {cAiice{n) I lendA{n/x} \ csobin) \ lendB{"/y} \ ccarl{n) \ askc(n)./e«c/C{n/y}) 
(n) {cAiice{n) I lendA{"/x} \ CBob{n) \ lendB{"/y} \ ccarl{n) \ lendC{"/y}) 

In step one, we use Tell, ParTau, Del to fire the prefix teWcAikeix)- Similarly, in steps two and three, we 
fire the prefixes teW CBob{y) cmd t&Wccariiz)- Step four is the crucial one. There, the prefix fuse,:a(x) is 
fired through rule Fuse. Through rules Constr.ParFuse, we discover the active constraint CAiice{x)- We 
use rule Open to obtain the action {x){cAnce{x)^ a{x)for the Alice part. For the Bob part, we use rule 
CoNSTR to discover cgobiy), which we then merge with the empty set of constraints obtained through rule 
IdleSum; similarly for Carl. We then apply Open twice and obtain {y){cBob{y)} cind {z){ccarl{z)}- At 
the top level, we apply ParFuse to deduce {x,y,z){cAUce{x),CBob{y),ccari{z)} l~f a(x). Finally, we apply 
CloseFuse, which fuses x, y and z by instantiating them to the fresh name n. It is easy to check that 
{cAUce{x),CBob{y),c Cadiz)} 1"'^^^^' a(x) where o = {"/xyz}. Note that all the three kids have to cooperate, 
in order to proceed. Indeed, fusing e.g. only x andy would not allow to discharge the premise c{z)from 
the contracts caucc cmd CBob, hence preventing any fuse prefix from being fired. 

Example 2 (Insured Sale) A seller S will ship an order as long as she is either paid upfront, or she 
receives an insurance from the insurance company I, which she trusts. We model the seller contract as 
the PCL formula s{x) = order(x) A (pay(x) V insurance(x)) ship(x) where x represents the session 
where the order is placed. The seller S is a recursive process, allowing multiple orders to be shipped. 

S = {x)te\\s{x).^usexSh\p{x).{S\doShip{x)) 
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The insurer contract i{x) = premium — » insurance(;c) plainly states that a premium must be paid 
upfront. The associated insurer process I is modelled as follows: 

I = (;c)tell/(;c).fuse;cinsurance(A;). (^I \ T.check^pay{x).{refundS{x) \ debtCollect{x))) 

When the insurance is paid for, the insurer will wait for some time, modelled by the z prefix. After that, 
he will check whether the buyer has not paid the shipped goods. In that case, the insurer will immediately 
indemnify the seller, and contact a debt collector to recover the money from the buyer. Note that S and I 
do not explicitly mention any specific buyer. As the interaction among the parties is loosely specified, 
many scenarios are possible. For instance, consider the following buyers Bo, 81,82, B^: 

bQ{x) = ship(x) order(x) A pay(x) Bo = {x)te\\bo{x).receive{x) 

bi{x) = ship(x) ^ order(x) A premium(x) B\ = {x)te\\bi{x). {receive{x) \ T.te\\pay{x)) 

b2{x) = order(x) A pay(x) B2 = Bo{*2Ao} 

bi{x) ~ order(x) A premium(x) B3 = Z?o{*3/^o} 

The buyer Bq pays upfront. The buyer B\ will pay later, by providing the needed insurance. The 
"incautious " buyer B2 will pay upfront, without asking any shipping guarantees. The buyer S3 is insured, 
and will not pay. The insurer will then refund the seller, and start a debt collecting procedure. This is 
an example where a violated promise can be detected so to trigger a suitable recovery action. The 
minimality requirement guarantees that the insurer will be involved only when actually needed. 

Example 3 (Automated Judge) Consider an online market, where buyers and sellers trade items. The 
contract of a buyer is to pay for an item, provided that the seller promises to send it; dually, the contract 
of a seller is to send an item, provided that the buyer pays. A buyer first issues her contract, then waits 
until discovering she has to pay, and eventually proceeds with the process CheckOut. At this point, 
the buyer may either abort the transaction (process NoPay), or actually pay the item, by issuing the 
constraint paid(j:). After the item has been paid, the buyer may wait for the item to be sent ('asksent(;c)J, 
or possibly open a dispute with the 5'eZZer ftelldispute(x)j. Note that, as in the real world, one can always 
open a dispute, even when the other party is perfectly right. 

Buyer = {x) (tell send(;c) -» pay(;c). fuse^ pay(;c). C/j^c/cOm?) 
Checkout = T.A^oPa3' + T. tell paid (x).(t. tell dispute(x) + ask sent(x)) 

The behaviour of the seller is dual: issue the contract, wait until she has to send, and then proceed with 
Ship. There, either choose not to send, or send the item and then wait for the payment or open a dispute. 

Seller = {y) (tellpay(3') ^ send (j). fuse,, send (j).5/i;'p) 
Ship = T.NoSend + T.te.\\sent{y).{T.X.e.\\d\s'pute.{y) + ask paid(3')) 

To automatically resolve disputes, the process Judge may enter a session initiated between a buyer and 
a seller, provided that a dispute has been opened, and either the obligations pay or send have been 
inferred. This is done through the join^ primitive, which binds the variable z to the name of the session 
established between buyer and seller. If the obligation pay(z) is found but the item has not been paid 
(i.e. check-ipaid(z) pa^^e^j, then the buyer is convicted (by jailBuyer{z), not further detailed). Similarly, 
if the obligation send(z) has not been supported by a corresponding sent(z), the seller is convicted. 

Judge = (z) (join, (pay(z) Adispute(z)).check-ipaid(z).7fl://BMjer(z) | 
join, (send(z) A dispute(z)). check -isent(z) .7a'//5'eZZer(z)) 
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A possible trace of the LTS semantics is the following: 

Buyer\Seller\Judge («) (send(«) -» pay(n) | paid(n) | telldispute(«) | pay(«) send(«) \NoSend) \ Judge 
A («) (send(n) pay(n) | paid(n) | dispute(n) | pay(n) -» send(n) \ NoSend\dneck^s&nt{n).jailSeller{n) | • • •) 
A- in) (jailSeller{n) | ■ ■ ■ ) 

A more complex version of this example is in also dealing with the identities of the principals 
performing the relative promises. The simplified variant presented here does not require the more general 
rule for fuse found in 

Example 4 (AU-you-can-eat) Consider a restaurant offering an all-you-can-eat buffet. Customers are 
allowed to have a single trip down the buffet line, where they can pick anything they want. After the 
meal is over, they are no longer allowed to return to the buffet. In other words, multiple dishes can be 
consumed, but only in a single step. We model this scenario as follows: 

Buffet^ (x) (pasta(x) | chicken(x) | cheese(x) | fruit(x) | cake(x)) 

Bob ~ (x) fuse,v pasta (x) A chicken{x). SatiatedB Carl — (x) fuse,- pasta (x).fuse:cChicken(x).5'flr/flreiiC 

The Buffet can interact with either Bob or Carl, and make them satiated. Bob eats both pasta and 
chicken in a single meal, while Carl eats the same dishes but in two different meals, thus violating the 
Buffet policy, i.e.: Buffet \ Carl — )>* SatiatedC \ P. Indeed, the Buffet should forbid Carl to eat the 
chicken, i.e. to fire the second fuse.v. To enforce the Buffet policy, we first define the auxiliary operator ©. 
Let {pi)iei be VC\^ formulae, let r be afresh prime, o afresh name, and z, {zi)iei fresh variables. Then: 

®ieiPi = io)iz)iZi)ieiiirio,z) \ ||/e/r(o,z;) ^ ;?,■) 

To see how this works, consider the process (Biei Pi\Q where Q fires a fusev which demands a subset of 
the constraints {pi)iej with J QI. To deduce pi we are forced to fuse Zi with z (and x); otherwise we can 
not satisfy the premise r{o,Zi). Therefore all the {zi)iej are fused, while minimality of fusion ensures that 
the {Zi)iei\j are not. After fusion we then reach: 

{o){m){{zi)iei\j{\\iei\jf{o,Zi)^Pi)\\\iej{r{o,m)\r{o,m) Pi)) \ Q' 

where m is afresh name resulting from the fusion. Note that the {pi)iei\j can no longer be deduced 
through fusion, since the variable z was "consumed" by the first fusion. The rough result is that (BiPi 
allows a subset of the {pi)iei to be demanded through fusion, after which the rest is no longer available. 
We can now exploit the © operator to redefine the Buffet as follows: 

Buffet' = (x)(pasta(x) ©chicken(x) © cheese(x) © fruit(x) © cake(x)) 

The new specification actually enforces the Buffet policy, i.e.: Buffet' | Carl -/^* SatiatedC \ P. Note that 
the operator © will be exploited in Sect. when we will encode graph rewriting in our calculus. 

4 Expressive power 

We now discuss the expressive power of our synchronization primitives, by showing how to encode some 
common concurrency idioms into our calculus. 
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Semaphores. Semaphores admit a simple encoding in our calculus. Below, n is the name associated 
with the semaphore, while x is a fresh variable. P{n) and V («) denote the standard semaphore operations, 
and process Q is their continuation. 

P{n).Q ^ (x) fuse^p(«,x).e V{n).Q = (x) tellp(«,x).e 

Each fusevp(?i,x) instantiates a variable x such that p{n,x) holds. Of course, the same x cannot be 
instantiated twice, so it is effectively consumed. New variables are furnished by V{n). 

Memory cells. We model below a memory cell. 

New{n,\').Q = {x)te\\c{n,x) /\d{x,v).Q 

Get{n,y).Q = (w)fuse,t.c(n, w).join,,d(w,}').A^ew(«,}').2 Set{n,v).Q = {w)fusexc{n,w).New{n,\').Q 

The process New{n,v) initializes the cell having name n and initial value v (a name). The process 
Get{n,y) recovers v by fusing it with y: the procedure is destructive, hence the cell is re-created. The 
process Set{n,v) destroys the current cell and creates a new one. 

Linda. Our calculus can model a tuple space, and implement the insertion and retrieval of tuples as in 
Linda |[T4l . For illustration, we only consider p-tagged pairs here. 

Out{w,y).Q = {x)te\\p{x) Api{x,w) Ap2{x,y).Q In{w,y).Q = (jc)fuse.^ pi (x, w) A P2(x,y).2 

In{lw,y).Q = (x)fuse;rP2(x,y).join,,pi(x,w).2 In{w,ly).Q = (x)fuse.,-pi(x,w).join,,,p2(x,y).2 

In{lw,ly).Q = (x)fuse.vp(x).join„,pi(x,w).joinyP2(x,y).e 

The operation Out inserts a new pair in the tuple space. A fresh variable x is related to the pair com- 
ponents through suitable predicates. The operation In retrieves a pair by pattern matching. The pattern 
In{w,y) mandates an exact match, so we require that both components are as specified. Note that fuse 
will instantiate the variable x, effectively consuming the tuple. The pattern In{7w,y) requires to match 
only against the y component. We do exactly that in the fuse prefix. Then, we use join to recover the 
first component of the pair, and bind it to w. The pattern In{w, 7y) is symmetric. The pattern In{7w, ly) 
matches any pair, so we specify a weak requirement for the fusion. Then we recover the pair components. 

Synchronous 7r-calculus. We encode the synchronous 7r-calculus |fT9l into our calculus as follows: 

[P\Q] = [P] I [Q] [ivn)P] = {n)[P] [Xid)] =X{a) [X{y)=P] =X{y) = [P] 

[a{b).P] = (x)(msg(x,fo) | fuse.v in(fl,x). [P]) (x fresh) 

[a{z).Q] = {y){\n{a,y) \ (z)join, msg(3/,z). [Q]) (y fresh) 

Our encoding preserves parallel composition, and maps name restriction to name delimitation, as one 
might desire. The output cannot proceed with P until x is fused with some y. Dually, the input cannot 
proceed until y is instantiated to a name, that is until y is fused with some x - otherwise, there is no way 
to satisfy msg(3',z). 

The encoding above satisfies the requirements of ifTSl . It is compositional, mapping each n con- 
struct in a context of our calculus. Further, the encoding is name invariant and preserves termination, 
divergence and success. Finally it is operationally corresponding since, writing -^ji for reduction in n, 

P^IP' =^ [P] [P'] 
[P] ^* Q ^ 3P'. Q [P'] AP^lP' 
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where ~ is ^-bisimilarity. For instance, note that: 

[ivm){n{m).P\n{z).Q)] ^* H(o)(msg(o,m)|[P]|in(«,o)|[!2]W,v}) ~ Hl^lGW-v}] 

since the name o is fresh and the constraints msg(o,m), in(?i,o) do not affect the behaviour of P,Q. To 
see this, consider the inputs and outputs occurring in P, Q. Indeed, in the encoding of inputs, the fuse^ 
prefix will instantiate ;c to a fresh name, hence not with o. On the other hand, in the encoding of outputs, 
the join- prefix can fire only after y has been fused with x, hence instantiated with a fresh name. The 
presence of msg(o,m) has no impact on this firing. 

Note that our encoding does not handle non-deterministic choice. This is however manageable 
through the very same operator © of Ex. H] We will also exploit © below, to encode graph rewriting. 

4.1 Graph rewriting 

In the encoding of the Ti-calculus we have modelled a simple interaction pattern; namely, Milner-style 
synchronization. Our calculus is also able to model more sophisticated synchronization mechanisms, 
such as those employed in graph rewriting techniques fT\\ . Before dealing with the general case, we 
introduce our encoding through a simple example. 

Example 5 Consider the following "ring-to-star" graph rewriting rule, inspired from an example in M7^ : 




Whenever the processes A\...An are in a configuration matching the left side of the rule (where the 
bullets represent shared names) a transition is enabled, leading to the right side. The processes change 
to B\.. .B4, and afresh name is shared among all of them, while the old names are forgotten. Modelling 
this kind of synchronization in, e.g., the n-calculus would be cumbersome, since a discovery protocol 
must be devised to allow processes to realize the transition is enabled. Note that no process is directly 
connected to the others, so this protocol is non-trivial. 

Our calculus allows for an elegant, symmetric translation of the rule above, which is interpreted as 
an agreement among the processes A\.. .A4. Intuitively, each process Ai promises to change into Bi, and 
to adjust the names, provided that all the others perform the analogous action. Since each A,- shares two 
names with the other processes, we write it as Ai{n,m). The advertised contract is specified below as 
a PCh formula, where we denote addition and subtraction modulo four as ffl and B, respectively: 

ai{n,m,x) = f;gi (x,m) A S;bi ^ f;(x,n) A s,-(x,m) (1) 

An intuitive interpretation o/f,s is as follows: fi{x,n) states that n is the first naine of some process 
Aj{n, —) which is about to apply the rule. Similarly for Si{x,m) and the second name. The parameter x is 
a session ID, uniquely identifying the current transition. The contract ai{n,m,x) states that A i agrees to 
fire the rule provided both its neighbours do as well. The actual Ai process is as follows. 

Ai{n,m) = {x)te\\ai{n,rn,x).fusex^i{x,n) ASi{x,m).Bi{x) 

Our PCL logic enables the wanted transition: P = ^* 

Note that the above works even when nodes are shared among multiple parallel copies of the same 
processes. For instance, P\P will fire the rule twice, possibly mixing Ai components between the two P's. 
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General Case. We now deal with the general case of a graph rewriting system. 

Definition 8 An hypergraph G is a pair {Vq^Eq) where Vq is a set of vertices and Eq is a set of hyper- 
edges. Each hyperedge e € Eq has an associated tag tag(e) and an ordered tuple of vertices (ei , . . . , Ck) 
where ej € Vg- The tag tag{e) uniquely determines the arity k. 

Definition 9 A graph rewriting system is a set of graph rewriting rules {Gi =^ //,},• where Gi,Hi are 
the source and target hypergraphs, respectively. No rule is allowed to discard vertices, i.e. Vg, ^ V//,. 
Without loss of generality, we require that the sets of hyperedges Eq. are pairwise disjoint. 

In Def. [TO]below, we recall how to apply a rewriting rule G ^ // to a given graph J. The first step is 
to identify an embedding a of G inside /. The embedding a roughly maps H\G to a "fresh extension" 
of / (i.e. to the part of the graph that is created by the rewriting). Finally, we replace o{G) with o{H). 

Definition 10 Let {Gi be a graph rewriting system, and let J be a hypergraph. An embedding a 

ofGi in J is a function such that: (1) C7(v) € Vj for each v G Vq., and o{v) Vj for each v G V//. \ Vq. ; 
(2) a{e) G Ejfor each e G Eq., and cs{e) Ej for each e G £■//,. \Eq. ; (3) a(v) = a(v') v = v' for 
each v,v' G V?/,. \Vg, ; (4) a{e) = a{e') e = e' for each e^e' G Eq. UEhi ; (5) tag{e) = tag{o{e)) for 
each e G Eq-UEhi ; (6) G{e)h = a {en) for each e G Eq.UEh/ and \ <h <k. 

The rewriting relation J ^ K holds iff, for some embedding a, we have Vk = {Vj \ a(VG,)) U CJ(V//, ) 
and Ek = {Ej \ o{EqD) U (j{EHj)- The assumption Vq. C V/^. of Def. \9\ensures Vj C Vk, so no dangling 
hyperedges are created by rewriting. 

We now proceed to encode graph rewriting in our calculus. To simplify our encoding, we make a 
mild assumption: we require each G/ to be a connected hypergraph. Then, encoding a generic hypergraph 
J is performed in a compositional way: we assign a unique name n to each vertex in Vj, and then build 
a parallel composition of processes (H), one for each hyperedge e in Ej, where n = {n\,. .. ,n{) 

identifies the adjacent vertices. Note that since the behaviour of an hyperedge e depends on its tag, only, 
we index A with t = tag{e). Note that t might be the tag of several hyperedges in each source hypergraph 
G, . We stress this point: tag t may occur in distinct source graphs G;, and each of these may have multiple 
hyperedges tagged with t. The process At must then be able to play the role of any of these hyperedges. 
The willingness to play the role of such a hyperedge e relatively to a single node n is modelled by a 
formula pe,h{x,n) meaning "I agree to play the role of e in session x, and my h-th node is n". The session 
variable x is exploited to "group" all the constraints related to the same rewriting. We use the formula 
Pe/,(x,«) in the definition of A,. The process promises pgi{x,ni), . . . , pe^k{x,nk) (roughly, "I agree 
to be rewritten as e"), provided that all the other hyperedges sharing a node nf, agree to be rewritten 
according to their roles e. Formally, the contract related to e G Eq. is the following: 

ae{x,n) = /\ p^f^{x,ni,)^ /\ Pej,{x,nh) (2) 

l<h<k,eeEo:,ej, = eh \<h<k 

Note that in the previous example we indeed followed this schema of contracts. There, the hyper- 
graph / has four hyperedges e\, ei, e^, e^, each with a unique tag. The formulae f,- and s,- in ([Hi are 
rendered as pe,,i and p^^ 2 in ©■ Also the operators ffll and Bl, used in ([T|) to choose neighbours, are 
generalized in Q through the condition e^^ = Cf,. 

Back to the general case, the process At will advertise the contract ag for each e having tag t, and then 
will try to fuse variable x. Note that, since the neighbours are advertising the analogous contract, we can 
not derive any P(,,h{x,nh) unless all the hyperedges in the connected component agree to be rewritten. 
Since G, is connected by hypothesis, this means that we indeed require the whole graph to agree. 



M. Bartoletti & R. Zunino 



79 



However, advertising the contracts using a simple parallel composition can lead to unwanted 
results when non-determinism is involved. Consider two unary hyperedges, which share a node n, and 
can be rewritten using two distinct rules: G ^ H with el,e2 € Eg, and G ^ H with el,e2 € Eq. Let 
tag{el) = tag{el) = tl and tag{e2) = tag{e2) = t2. Each process thus advertises two contracts, e.g.: 

At\ = [x) {ae\{x,n) \ ag\{x,n) \ Fusioriti) A,2 = (x) {ag2{x,n) j ag2{x,n) | Fusion^) 

Consider now A,i | At2- After the fusion of x, it is crucial that both hyperedges agree on the rewriting 
rule that is being applied - that is either they play the roles of el, e2 or those of e\,e2. However, only 
one Fusion process above will perform the fusion, say e.g. the first one (the name m below is fresh): 

{m){aei{m,n)\agi{m,n) \Rewritee \\ae2{m.,n)\ae2{m,n)\Fusiont2{'"/x}) 

Note that the process Fusiont2{'"/x} can still proceed with the other rewriting, since the substitution 
above cannot disable a prefix which was enabled before. So, we can end up with Rewriteg2, leading to 
an inconsistent rewriting. Indeed, A,i was rewritten using G ^ H, while At2 according to G ^ H. 

To avoid this, we resort to the construction (BiPi discussed in Ex. H] We can then define A, as follows. 

At(n) = {x){ ae{x,n)\ ^ fuse^ f\ p,._„(;c,n/,).Be(^,«)) 

tag{e)=t tag{e)=t l<h<k 

In each A,, the contracts are exposed under the ®. The consequences of these contracts are then 
demanded by a sum of fuse;c . We defer the definition of Bg. 

Consider now the behaviour of the encoding of a whole hypergraph: At{n)\--- \A,i{n'). If the hyper- 
graph / contains an occurrence of G, where G ^ // is a rewriting rule, each of the processes involved 
in the occurrence Pi,... ,Pi may fire a fuse;^ prefix. Note that this prefix demands exactly one contract 
Oe from each process inside of the occurrence of G. This is because, by construction, each under the 
same © involves distinct „. This implies that, whenever a fusion is performed, the contracts which are 
not directly involved in the handshaking, but are present in the occurrence of G triggering the rewriting, 
are then effectively disabled. In other words, after a fusion the sums in the other involved processes have 
exactly one enabled branch, and so they are now committed to apply the rewriting coherently. 

After the fusion Bf,{x,n) is reached, where x has been instantiated with a fresh session name m which 
is common to all the participants to the rewriting. It is then easy to exploit this name m to reconfig- 
ure the graph. Each involved vertex (say, with name n) can be exposed to all the participants through 
e.g. tell vert/;(m,n), and retrieved through the corresponding join,, vert/, Since m is fresh, there is 
no risk of interference between parallel rewritings. New vertices (those in Vh \ Vq) can be spawned and 
broadcast in a similar fashion. Once all the names are shared, the target hypergraph H is formed by 
spawning its hyperedges Eh through a simple parallel composition of At {n) processes - each one with 
the relevant names. Note that the processes At, where t ranges over all the tags, are mutually recursive. 

Correctness. Whenever we have a rewriting J ^ K, it is simple to check that the contracts used in 
the encoding yield an handshaking, so causing the coiTcsponding transitions in our process calculus. The 
reader might wonder whether the opposite also holds, hence establishing an operational correspondence. 
It turns out that our encoding actually allows more rewritings to take place, with respect to Def.[TOl Using 
the Aj from Ex. [51 we have that the following loop of length 8 can perform a transition. 

P=Ai(«i,«2)|^2(«2,«3)|A3(«3,«4)|A4(«4, "5)1^1 («5,«6)|A2(«6,«7)|^3(«7,«8)|A4K,«l) 

Indeed, any edge here has exactly the same "local view" of the graph as the corresponding G of the 
rewriting rule. So, an handshaking takes place. Roughly, if a graph Jq triggers a rewriting in the encoding, 
then each "bisimilar" graph Ji will trigger the same rewriting. 
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A possible solution to capture graph rewriting in an exact way would be to mention all the vertices 
in each contract. That is, edge Ai would use pAi{ni,n2,x,y), while edge A2 would use pA2{w,n2,n3,z), 
and so on, using fresh variables for each locally-unknown node. Then, we would need the fuse prefix to 
match these variables as well, hence precisely establishing the embedding a of Def. [TOl The semantics 
of fuse introduced in 121 allows for such treatment. 

5 Discussion 

We have investigated primitives for contract-based interaction. Such primitives extend those of Concur- 
rent Constraints, by allowing a multi-party mechanism for the fusion of variables which well suites to 
model contract agreements. We have shown our calculus expressive enough to model a variety of typi- 
cal contracting scenarios. To do that, we have also exploited our propositional contract logic PCL lH 
to deduce the duties inferred from a set of contracts. Finally, we have encoded into our calculus some 
common idioms for concurrency, among which the ;r-calculus and graph rewriting. 

Compared to the calculus in 121, the current one features a different rule for managing the fusion 
of variables. In IS, the prefix fuse^ c picks from the context a set of variables y (like ours) and a set 
of names m (unlike ours). Then, the (minimal) fusion a causes the variables in xy to be replaced with 
names in nfh, where n is fresh, and o{x) = n. The motivation underneath this complex fusion mechanism 
is that, to establish a session in [2|, we need to instantiate the variables y which represent the identities 
of the principals involved in the handshaking. Similarly, join^c is allowed to instantiate a set of variables 
X. Instead, in this paper, to present our expressivity results we have chosen a simplified version of the 
calculus, where fusCvC considers a single name, and join^c a single variable. At the time of writing, we 
do not know whether the simplified calculus presented here is as expressive as the calculus of IH. The 
contract-related examples shown in this paper did not require the more sophisticated rules for fuse , nor 
did the encodings of most of the concurrency idioms. As a main exception, we were unable to perfectly 
encode graph rewriting in our simplified calculus; the difficulty there was that of distinguishing between 
bisimilai- graphs. We conjecture that the more general fusion of lH is needed to make the encoding 
perfect; proving this would show our simplified calculus strictly less expressive than the one in Q. 

In our model of contracts we have abstracted from most of the implementation issues. For instance, in 
insecure environments populated by attackers, the operation of exchanging contracts requires particular 
care. Clearly, integrity of contracts is a main concern, so we expect that suitable mechanisms have to be 
applied to ensure that contracts are not tampered with. Further, establishing an agreement between par- 
ticipants in a distributed system with unreliable communications appears similar to establishing common 
knowledge among the stipulating parties IIT6I . so an implementation has to cope with the related issues. 
For instance, the fuse^ prefix requires a fresh name to be delivered among all the contracting parties, so 
the implementation must ensure everyone agrees on that name. Also, it is important that participants can 
be coerced to respect their contracts after the stipulation: to this aim, the implementation should at least 
ensure the non repudiation of contracts 11261 . 

Negotiation and service-level agreement are dealt with in cc-pi a calculus combining features 

from concurrent constraints and name passing; Q adds rules for handling transactions. As in the 7i- 
calculus, synchronization is channel-based: it only happens between two processes sharing a name. 
Synchronization fuses two names, similarly to the fusion calculus and ours. A main difference between 
cc-pi and our calculus is that in cc-pi only two parties may simultaneously reach an agreement, while 
our fuse allows for simultaneous multi-party agreements. Also, in our calculus the parties involved in 
an agreement do not have to shai^e a pre-agreed name. This is useful for modelling scenarios where a 
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contract can be accepted by any party meeting the required terms (see e.g. Ex.[3]l. 

In |[T2l contracts are CCS-like processes. A client contract is compliant with a service contract if any 
possible interaction between the client and the service will always succeed, i.e. all the expected synchro- 
nizations will take place. This is rather different from what we expect from a calculus for contracts. For 
instance, consider a simple buyer-seller scenario. In our vision, it is important to provide the buyer with 
the guarantee that, after the payment has been made, then either the payed goods are made available, 
or a refund is issued. Also, we want to assure the seller that a buyer will not repudiate a completed 
transaction. We can model this by the following contracts in PCL: Buyer = (shipV refund) pay, and 
Seller = pay ^ (ship V refund). Such contracts lead to an agreement. The contracts of |[T2l would have a 
rather different form, e.g. Buyer = pay. (ship + refund) and Seller = pay. (ship© refund), where + and © 
stand respectively for external and internal choice. This models the client outputting a payment, and then 
either receiving the item or a refund (at service discretion). Dually, the service will first input a payment, 
and then opt for shipping the item or issuing a refund. This is quite distant from our notion of contracts. 
Our contracts could be seen as a declarative underspecified description of which behavioural contracts 
are an implementation. Behavioural contracts seem more rigid than ours, as they precisely fix the or- 
der in which the actions must be performed. Even though in some cases this may be desirable, many 
real-world contracts allow for a more liberal way of constraining the involved parties (e.g., "I will pay 
before the deadline"). While the crucial notion in |[T2l is compatibility (which results in a yes/no output), 
we focus on the inferring the obligations that arise from a set of contracts. This provides a fine-grained 
quantification of the reached agreement, e.g. we may identify who is responsible of a contract violation. 

Our calculus could be exploited to enhance the compensation mechanism of long-running transac- 
tions SUKTOl. There, a transaction is partitioned into a sequence of smaller ones, each one associated 
with a compensation, to be run upon failures of the standard execution. While in long-running transac- 
tions clients have little control on the compensations (specified by the designer), in our approach clients 
can use contracts to select those services offering the desired compensation. 

An interesting line for future work is that of comparing the expressiveness of our calculus against 
other general synchronization models. Our synchronization mechanism, based on the local minimal 
fusion policy and PCL contracts, seems to share some similarities with the synchronization algebras 
with mobility ifTSl . Indeed, in many cases, it seems to be possible to achieve the synchronization defined 
by a SAM through some handshaking in our model. We expect that a number of SAMs can be encoded 
through suitable PCL contracts, without changing the entailment relation. Dually, we expect that the 
interactions deriving from a set of contracts could often be specified through a SAM. 

Another general model for synchronization is the BIP model ||3l. Here, complex coordination 
schemes can be defined through an algebra of connectors. While some of these schemes could be mod- 
elled by contracts, encoding BIP priorities into our framework seems to be hard. Actually, the only 
apparent link between priorities and our calculus is the minimality requirement on fusions. However, our 
mechanism appears to be less general. For instance, BIP allows maximal progress as its priority relation, 
which conti'asts with the minimality of our fusions. 



Acknowledgments. Work partially supported by MIUR Project SOFT, and Autonomous Region of 
Sardinia Project TESLA. 



82 



Primitives for Contract-based Synctironization 



References 

[1] Massimo Bartoletti and Roberto Zunino. A logic for contracts. Technical Report DISI-09-034, DISI - 
Universita di Trento, 2009. 

[2] Massimo Bartoletti and Roberto Zunino. A calculus of contracting processes. In Proc. LICS, 2010. 

[3] Simon Bliudze and Joseph Sifakis. The algebra of connectors — structuring interaction in BIP. IEEE Trans- 
actions on Computers, 57(10), 2008. 

[4] Laura Bocchi, Cosimo Laneve, and Gianluigi Zavattaro. A calculus for long running transactions. In Proc. 
F MOODS, 2003. 

[5] Roberto Bruni, Hernan C. Melgratti, and Ugo Montanari. Theoretical foundations for compensations in flow 
composition languages. In Proc. POPL, 2005. 

[6] Roberto Bruni and Ugo Montanari. Models for open transactions (extended abstract). Technical Report 
RR-385, Department of Informatics, University of Oslo, 2009. 

[7] Maria Grazia Buscemi and Hernan C. Melgratti. Transactional service level agreement. In Proc. TGC, 2007. 

[8] Maria Grazia Buscemi and Ugo Montanari. CC-Pi: A constraint-based language for specifying service level 
agreements. In Proc. ESOP, 2007. 

[9] Maria Grazia Buscemi and Ugo Montanari. Open bisimulation for the Concurrent Constraint Pi-Calculus. In 
Proc. ESOP, 2008. 

[10] Michael J. Butler, C. A. R. Hoare, and Carla Ferreira. A trace semantics for long-running transactions. In 
Communicating Sequential Processes: The First 25 Years, 2004. 

[1 1] Samuele Carpineti and Cosimo Laneve. A basic contract language for web services. In Proc. ESOP, 2006. 

[12] Giuseppe Castagna, Nils Gesbert, and Luca Padovani. A theory of contracts for web services. ACM Trans, 
on Prog. Lang, and Systems, 31(5), 2009. 

[13] Giuseppe Castagna and Luca Padovani. Contracts for mobile processes. In Proc. CONCUR, 2009. 

[14] David Gelernter. Generative communication in Linda. ACM Trans, on Prog. Lang, and Systems, 7(1), 1985. 

[15] Daniele Gorla. Towards a unified approach to encodability and separation results for process calculi. In Proc. 
CONCUR, 2008. 

[16] Joseph Y. Halpern and Yoram Moses. Knowledge and common knowledge in a distributed environment. J. 
ACM, 37(3), 1990. 

[17] Ivan Lanese and Ugo Montanari. Mapping fusion and synchronized hyperedge replacement into logic pro- 
gramming. Theory and Practice of Logic Programming, 7(1-2), 2007. 

[18] Ivan Lanese and Emilio Tuosto. Synchronized hyperedge replacement for heterogeneous systems. In CO- 
ORDINATION, 2005. 

[19] Robin Milner, Joachim Parrow, and David Walker. A Calculus of Mobile Processes, I and II. Information 
and Computation, 100(1), 1992. 

[20] Luca Padovani. Contract-based discovery and adaptation of web services. In Proc. SFM, 2009. 

[2 1 ] Grzegorz Rozenberg, editor. Handbook of graph grammars and computing by graph transformation: volume 
I. foundations. World Scientific Publishing Co., Inc., 1997. 

[22] Davide Sangiorgi and David Walker The n-calculus: A Theory of Mobile Processes. Cambridge University 
Press, 2001. 

[23] Vijay Saraswat. Concurrent Constraint Programming. MIT Press, 1993. 

[24] Vijay Saraswat, Prakash Panangaden, and Martin Rinard. Semantic foundations of concurrent constraint 
programming. In Proc. POPL, 1991. 

[25] Anne Troelstra and Dirk van Dalen. Constructivism in Mathematics, vol. 1. North-Holland, 1988. 

[26] Jianying Zhou. Non-repudiation in Electronic Commerce. Artech House, 2001. 



